Privacy is a very serious issue that impacts many Australians. According to research published by the Office of the Australian Information Commissioner (OAIC), 86 per cent of Australians are concerned about how their data is being handled.

Australia has long been a leading advocate of privacy regulation and ensuring that personal information is protected. The introduction of the Privacy Act in 1988 saw the appointment of the first Privacy Commissioner and the establishment of the privacy regulator, the Office of the Privacy Commissioner. In 2010, the OAIC was formed.

The Australian Parliament then passed amendments to the Privacy Act in November 2012, which took effect from 12 March. As part of those amendments, 13 Australian Privacy Principles (APPs) will replace the existing Information Privacy Principles and National Privacy Principles.

The 13 APPs can broadly be grouped into five categories: consideration of personal information privacy, collection of personal information, dealing with personal information, integrity of personal information, and access to and correction of personal information. At the baseline, the regime applies to any organisation with revenues of over $3 million, subject to some limited exceptions. Businesses that breach these privacy guidelines can face penalties of up to $1.7 million.

If you take a look at all the privacy cases that have been recorded with the OAIC in the last 25 years, the statistics paint an interesting picture. There were 322 privacy cases and enquiries from 1989 to 2012, with only eight determinations and a mere $6000 in fines. However, the scenario might completely change in the future. The new amendments give the OAIC enhanced powers to accept enforceable undertakings, seek civil penalties for breaches, and conduct assessments of privacy performance for both Australian government agencies and businesses.

What should businesses do?

Information is the lifeblood of any organisation. It is vital that organisations not only protect information, whether their own or their customers', but also respect it and use it in the way it was intended. They need to be fully aware of the private data they hold within their business and how they plan to regularly monitor and manage it. Making people within the organisation aware of how to handle private data, and putting in place policies and procedures to ensure there are no accidental or malicious breaches, is fundamental.

There are two considerations that organisations need to take into account in response to the privacy regulations:

Data privacy by design: Embed data privacy as the default setting in the way the business is conducted. Be proactive in driving privacy policies and processes. Educate employees across the board and train them on maintaining data integrity and compliance practices.

De-identify data: Make data non-identifiable. Organisations need to consider where data is being held, how it is being used, who they are passing it on to, and whether they have the consent of the individual to do so. Businesses need to be careful when releasing data insights about customers and ensure that individuals are de-identified.

An effective strategy for achieving better security and privacy

Organisations should start implementing effective strategies to identify and address security risks at an enterprise level, to mitigate risk and assist in meeting the new privacy guidelines. Below are some steps that businesses can take:

Despite the best security technologies, data breaches continue to occur. Technology in isolation is not the solution; organisations need to put the right control frameworks in place. Conducting a preliminary information security risk assessment at an enterprise level will determine whether adequate preparation is being carried out. This ensures that reasonable measures are in place for information management lifecycles, data access controls (internal and external), service providers, systems, procedures, processes, technologies, governance and assurance.

For development initiatives, businesses need to build appropriate security measures in at the design stage to adequately handle personal information; for example, they should cover systems, procedures, processes, technologies, governance and assurance aspects.

Where personal information is being handled, for new activities or changes to existing activities, it's recommended that businesses conduct an information security risk assessment for the system as well as a Privacy Impact Assessment.

In addition to implementing safeguards to prevent malicious or accidental interference with privacy, businesses should implement acknowledged good practices such as monitoring or preventing the inappropriate transfer of personal information to unauthorised people or organisations (commonly referred to as data loss prevention).

Businesses should re-examine information lifecycle management for the entire enterprise to safeguard personal information not only when it is being acquired and used, but also when it is being stored, de-identified or destroyed.

Information management is critical to ensure that businesses organise their data and are in control of it. It involves discovering where information lives, classifying what it should be used for, identifying the ownership of the data, and assessing how it can be disposed of confidentially if no longer required. Data governance ensures the right policies and procedures are in place regarding data ownership, usage and access controls to drive down risk. Regularly reporting and analysing metrics is key to driving improved protection of sensitive data and achieving compliance.

In order to prevent data loss, businesses need to think not only about the security solution they need to implement, but also about the business strategy they are going to put in place to avert it. There needs to be a top-down approach with executive-level and business-owner involvement. This is not a function of IT alone; a trained incident response team is needed to implement the strategy. Encryption, data classification and digital rights management technologies that organisations currently use are important; however, they work in isolation and typically rely on the human element to make them effective. We all know individuals can make mistakes, so a strong framework of control is vital to drive better intelligence into the use of these technologies.

The introduction of the Australian Privacy Principles is an important step in the evolution of Australia's privacy laws and is just around the corner, so businesses will need to get their house in order with regard to data collection, storage, management and disposal. Data privacy is a journey, not a one-off event, so organisations and agencies need an ongoing strategy to ensure they remain compliant.

Brenton Smith is Symantec Australia's Managing Director.
